You've been Conficked...
Posted on 30 Mar 2009 at 15:52
Davey Winder gets to grips with the Conficker worm and discovers that prevention is better than cure.
How can I get rid of Conficker?
Assuming that you're not going to wait for those rogue removal tools to arrive - and there will probably be a few already doing the rounds by the time you read this, even if Conficker itself hasn't started bombing desktops - then you'll need to settle upon a sensible removal strategy if you're unfortunate enough to find the worm residing on your computers. First, remember that you'll have to effectively isolate each machine on the network to prevent it being reinfected by others that you've yet to disinfect. Second, try the easy approach, by which I mean contacting your security vendor's support people to see if they have a removal tool available. Alternatively, try Microsoft's Malicious Software Removal Tool, which has been updated to remove the Conficker family: this is a standalone binary that you can download (via a clean machine if yours prevents access) from http://support.microsoft.com/kb/890830. Users of the Microsoft Desktop Optimisation Pack 6 at www.microsoft.com/windows/enterprise/technologies/mdop.aspx can also use the Standalone System Sweeper tool. Oh, and don't forget to apply the MS08-067 update to all Windows computers in order to prevent a reinfection.
Microsoft has also provided an in-depth manual removal solution for those who need to get truly hands-on with this. Unfortunately, space prevents me from going through this in detail here, so I suggest that anyone interested visits http://support.microsoft.com/kb/962007 for the full skinny.
Prevention is better than cure
My doctor is very keen on the old maxim that "prevention is better than cure", and this is exactly the approach you should take when talking about IT security. When it comes to Conficker, this means doing a number of things. First, and it's worth repeating so I will, install that MS08-067 security update in full - or at least as fully as your network environment will allow, because for bigger and more diverse business applications that can be problematical. Which is why it's also important to follow a few other steps to shore up those defences. Apart from the obvious one of having strong antivirus solutions in place and using only strong passwords, there are the perhaps less-obvious ones such as disabling the AutoPlay function. Seriously, would you actually miss it? In fact, do you actually use it for anything worthwhile at all? Microsoft has an excellent explanation of how to manage the AutoPlay configuration within your network environment at http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx.
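The two preventive settings above can be audited on a machine with a short PowerShell script. This is an added example, not code from the article or from Microsoft; it assumes that KB958644 is the update published with MS08-067 and that AutoPlay is governed by the `NoDriveTypeAutoRun` policy value, and the function names are hypothetical.

```powershell
# Added example: report whether this machine has the MS08-067 update and
# whether AutoPlay is disabled for every drive type.

function Test-Ms08067Patch {
    # Assumption: KB958644 is the update that ships the MS08-067 fix.
    # Get-HotFix reads Win32_QuickFixEngineering, so a service pack or later
    # roll-up that supersedes the update will not be listed under this ID.
    $fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return [bool]$fix
}

function Get-AutoRunPolicy {
    param([string]$Hive = 'HKLM:')
    $path = "$Hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }      # policy not configured in this hive
    $value = $item.NoDriveTypeAutoRun
    # Older systems may store the value as REG_BINARY; the low byte holds the mask.
    if ($value -is [byte[]]) { $value = $value[0] }
    return [int]$value
}

function Get-ConfickerHardeningReport {
    $machine = Get-AutoRunPolicy -Hive 'HKLM:'
    $user    = Get-AutoRunPolicy -Hive 'HKCU:'
    # When the machine-wide value exists, the per-user value is ignored.
    $effective = if ($null -ne $machine) { $machine } else { $user }
    # 0xFF sets every drive-type bit, i.e. AutoPlay is off for all drives.
    $disabled = ($null -ne $effective) -and (($effective -band 0xFF) -eq 0xFF)

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Ms08067Installed = Test-Ms08067Patch
        AutoRunMask      = if ($null -ne $effective) { '0x{0:X2}' -f $effective } else { 'not set' }
        AutoPlayDisabled = $disabled
    }
}

Get-ConfickerHardeningReport | Format-List
```

A machine that reports `Ms08067Installed : False` should be checked by hand before being treated as unpatched, since a superseding update would give the same result.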
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
Printed from www.pcpro.co.uk


